Image capture devices for a secure industrial control system

ABSTRACT

An image capture device for a secure industrial control system is disclosed. In an embodiment, the image capture device includes: an image sensor; a signal processor coupled to the image sensor; and a controller for managing the signal processor and transmitting data associated with processed image signals to at least one of an input/output module or a communications/control module via a communications interface that couples the controller to the at least one of the input/output module or the communications/control module, wherein the controller is configured to establish an encrypted tunnel between the controller and the at least one of the input/output module or the communications/control module based upon at least one respective security credential of the image capture device and at least one respective security credential of the at least one of the input/output module or the communications/control module.

CROSS-REFERENCE TO RELATED APPLICATIONS

The present application is a continuation-in-part of U.S. patentapplication Ser. No. 14/942,304, filed Nov. 16, 2015, and titled “SECUREINDUSTRIAL CONTROL SYSTEM,” which is a continuation of U.S. patentapplication Ser. No. 14/469,931 (issued as U.S. Pat. No. 9,191,203),filed Aug. 27, 2014, and titled “SECURE INDUSTRIAL CONTROL SYSTEM,”which is a continuation of International Application No.PCT/US2013/053721, filed Aug. 6, 2013, and titled “SECURE INDUSTRIALCONTROL SYSTEM.” The present application is also a continuation-in-partof U.S. patent application Ser. No. 14/519,066, filed Oct. 20, 2014, andtitled “OPERATOR ACTION AUTHENTICATION IN AN INDUSTRIAL CONTROL SYSTEM.”The present application is also a continuation-in-part of U.S. patentapplication Ser. No. 15/287,937, filed Oct. 7, 2016, and titled“INDUSTRIAL CONTROL SYSTEM REDUNDANT COMMUNICATIONS/CONTROL MODULESAUTHENTICATION, which is a continuation of U.S. patent application Ser.No. 14/519,047 (issued as U.S. Pat. No. 9,467,297), filed Oct. 20, 2014,and titled “INDUSTRIAL CONTROL SYSTEM REDUNDANT COMMUNICATIONS/CONTROLMODULES AUTHENTICATION.” The present application is also acontinuation-in-part of U.S. patent application Ser. No. 14/597,498,filed Jan. 15, 2015, and titled “ELECTROMAGNETIC CONNECTOR,” which is acontinuation of U.S. patent application Ser. No. 13/341,143, filed Dec.30, 2011, and titled “ELECTROMAGNETIC CONNECTOR.” The presentapplication is also a continuation-in-part of U.S. patent applicationSer. No. 15/247,998, filed Aug. 26, 2016, and titled “SWITCH FABRICHAVING A SERIAL COMMUNICATIONS INTERFACE AND A PARALLEL COMMUNICATIONSINTERFACE, which is a continuation of U.S. patent application Ser. No.14/501,974 (issued as U.S. Pat. No. 9,436,641), filed Sep. 30, 2014, andtitled “SWITCH FABRIC HAVING A SERIAL COMMUNICATIONS INTERFACE AND APARALLEL COMMUNICATIONS INTERFACE,” which is a continuation of U.S.patent application Ser. No. 13/341,161 (issued as U.S. Pat. No.8,862,802), filed Dec. 30, 2011, and titled “SWITCH FABRIC HAVING ASERIAL COMMUNICATIONS INTERFACE AND A PARALLEL COMMUNICATIONSINTERFACE.” The present application is also a continuation-in-part ofU.S. patent application Ser. No. 15/289,613, filed Oct. 10, 2016, andtitled “COMMUNICATIONS CONTROL SYSTEM WITH A SERIAL COMMUNICATIONSINTERFACE AND A PARALLEL COMMUNICATIONS INTERFACE, which is acontinuation of U.S. patent application Ser. No. 14/502,006 (issued asU.S. Pat. No. 9,465,762), filed Sep. 30, 2014, and titled“COMMUNICATIONS CONTROL SYSTEM WITH A SERIAL COMMUNICATIONS INTERFACEAND A PARALLEL COMMUNICATIONS INTERFACE,” which is a continuation ofU.S. patent application Ser. No. 13/341,176 (U.S. Pat. No. 8,868,813),filed Dec. 30, 2011, and titled “COMMUNICATIONS CONTROL SYSTEM WITH ASERIAL COMMUNICATIONS INTERFACE AND A PARALLEL COMMUNICATIONSINTERFACE.”

Each of the patents and patent applications cross-referenced above isincorporated herein by reference in its entirety.

BACKGROUND

Industrial control systems, such as standard industrial control systems(ICS) or programmable automation controllers (PAC), include varioustypes of control equipment used in industrial production, such assupervisory control and data acquisition (SCADA) systems, distributedcontrol systems (DCS), programmable logic controllers (PLC), andindustrial safety systems certified to safety standards such asIEC61508. These systems are used in industries including electrical,water and wastewater, oil and gas production and refining, chemical,food, pharmaceuticals and robotics. Using information collected fromvarious types of sensors to measure process variables, automated and/oroperator-driven supervisory commands from the industrial control systemcan be transmitted to various actuator devices such as control valves,hydraulic actuators, magnetic actuators, electrical switches, motors,solenoids, and the like. These actuator devices collect data fromsensors and sensor systems, open and close valves and breakers, regulatevalves and motors, monitor the industrial process for alarm conditions,and so forth.

In other examples, SCADA systems can use open-loop control with processsites that may be widely separated geographically. These systems useRemote Terminal Units (RTUs) to send supervisory data to one or morecontrol centers. SCADA applications that deploy RTU's include fluidpipelines, electrical distribution and large communication systems. DCSsystems are generally used for real-time data collection and continuouscontrol with high-bandwidth, low-latency data networks and are used inlarge campus industrial process plants, such as oil and gas, refining,chemical, pharmaceutical, food and beverage, water and wastewater, pulpand paper, utility power, and mining and metals. PLCs more typicallyprovide Boolean and sequential logic operations, and timers, as well ascontinuous control and are often used in stand-alone machinery androbotics. Further, ICE and PAC systems can be used in facility processesfor buildings, airports, ships, space stations, and the like (e.g., tomonitor and control Heating, Ventilation, and Air Conditioning (HVAC)equipment and energy consumption). As industrial control systems evolve,new technologies are combining aspects of these various types of controlsystems. For instance, PACs can include aspects of SCADA, DCS, and PLCs.

Industrial systems are evolving in a similar manner to the “internet ofthings” but with much higher security, reliability, and throughputrequirements. Security at all levels is needed. This includes edgedevices, which can be a way into the system for malicious actors if leftunsecured.

SUMMARY

Implementations of image capture devices (e.g., cameras) for a secureindustrial control system are disclosed herein. An image capture devicecan include an image sensor, a signal processor coupled to the imagesensor, and a controller for managing the signal processor. Thecontroller can also be configured to transmit data associated withprocessed image signals to one or more devices coupled to the imagecapture device. For example, the controller can transmit data associatedwith processed image signals (e.g., encoded image frames, metadata,etc.) to an input/output module and/or a communications/control modulevia a communications interface that couples the controller to theinput/output module and/or communications/control module. Inembodiments, the controller is configured to establish an encryptedtunnel between the controller and the input/output module and/orcommunications/control module based upon at least one respectivesecurity credential of the image capture device and at least onerespective security credential of the input/output module and/orcommunications/control module. The controller can also be configured toperform an authentication sequence with the input/output module and/orcommunications/control module utilizing the at least one respectivesecurity credential of the image capture device and the at least onerespective security credential of the input/output module and/orcommunications/control module, whereby the image capture device can beauthenticated and given permissions to transmit and/or receiveinformation from the input/output module and/or communications/controlmodule, and/or other components of the secure industrial control system.

This Summary is provided to introduce a selection of concepts in asimplified form that are further described below in the DetailedDescription. This Summary is not intended to identify key features oressential features of the claimed subject matter, nor is it intended tobe used as an aid in determining the scope of the claimed subjectmatter.

DRAWINGS

The Detailed Description is described with reference to the accompanyingfigures. The use of the same reference numbers in different instances inthe description and the figures may indicate similar or identical items.

FIG. 1 is a block diagram illustrating a secure industrial controlsystem, in accordance with an embodiment of this disclosure.

FIG. 2 is a block diagram illustrating an image capture device for asecure industrial control system, in accordance with an embodiment ofthis disclosure.

FIG. 3 is a block diagram illustrating a switch fabric for acommunications backplane of a secure industrial control system, inaccordance with an embodiment of this disclosure.

FIG. 4 is a block diagram illustrating an action authentication path fora secure industrial control system, in accordance with an embodiment ofthis disclosure.

FIG. 5 is a block diagram further illustrating the action authenticationpath shown in FIG. 4, in accordance with an embodiment of thisdisclosure.

FIG. 6 is a block diagram illustrating an authentication sequencebetween an image capture device and an input/output module (IOM) orcommunications/control module (CCM) of a secure industrial controlsystem, in accordance with an embodiment of this disclosure.

DETAILED DESCRIPTION Overview

Industrial systems are evolving in a similar manner to the “internet ofthings” with high security, reliability, and throughput requirements.Security at all levels is needed. This includes edge devices, which canbe a way into the system for malicious actors if left unsecured. Forexample, surveillance cameras, though often thought of as “securitydevices,” can be vulnerable access points into an industrial controlsystem. In some instances, a counterfeit or hacked camera can be used togain unauthorized entry to an industrial control system in order to gainaccess to video footage or other information, or even to introducefictitious video footage (e.g., for purposes of tripping a false alarm,etc.). In some instances, a camera network connection can be used toworm malware into non-camera network databases, for example, as an entrypoint for malicious code to gain remote access, steal or tamper withcontrol system information, and so forth.

Implementations of image capture devices (e.g., cameras) for a secureindustrial control system are disclosed herein. In embodiments, an imagecapture device for a secure industrial control system can include animage sensor, a signal processor coupled to the image sensor, and acontroller for managing the signal processor. The controller can also beconfigured to transmit data associated with processed image signals toone or more devices coupled to the image capture device. For example,the controller can transmit data associated with processed image signals(e.g., encoded image frames, metadata, etc.) to an input/output moduleand/or a communications/control module via a communications interfacethat couples the controller to the input/output module and/orcommunications/control module. In embodiments, the controller isconfigured to establish an encrypted tunnel between the controller andthe input/output module and/or communications/control module based uponat least one respective security credential of the image capture deviceand at least one respective security credential of the input/outputmodule and/or communications/control module. The controller can also beconfigured to perform an authentication sequence with the input/outputmodule and/or communications/control module utilizing the respectivesecurity credential of the image capture device and the respectivesecurity credential of the input/output module and/orcommunications/control module, whereby the image capture device can beauthenticated and given permissions to transmit and/or receiveinformation from the input/output module and/or communications/controlmodule, and/or other components of the secure industrial control system.For example, transmitted information can include, but is not limited to,captured images, video footage, spectral information (e.g., for fire,gas, and/or radiation detection), or combinations thereof.

Example Implementations

FIG. 1 illustrates an industrial control system 100 in accordance withan example embodiment of the present disclosure. In embodiments, theindustrial control system 100 may comprise an industrial control system(ICS), a programmable automation controller (PAC), a supervisory controland data acquisition (SCADA) system, a distributed control system (DCS),programmable logic controller (PLC), and industrial safety systemcertified to safety standards such as IEC1508, or the like. As shown inFIG. 1, the industrial control system 100 uses a communications controlarchitecture to implement a distributed control system that includes oneor more industrial elements (e.g., input/output (I/O) modules, powermodules, field devices, image capture devices (e.g., surveillancecameras, physical security cameras, specialized spectral detectioncameras (e.g., for fire, gas, and/or radiation detection), etc.),switches, workstations, and/or physical interconnect devices) that arecontrolled or driven by one or more control elements or subsystems 102distributed throughout the system. For example, one or more I/O modules104 may be connected to one or more communications/control modules 106(sometimes abbreviated as (CCMs)) making up the controlelement/subsystem 102.

The industrial control system 100 is configured to transmit data to andfrom the I/O modules 104. The I/O modules 104 can comprise inputmodules, output modules, and/or input and output modules. For instance,input modules can be used to receive information from input devices 130(e.g., sensors) in the process, while output modules can be used totransmit instructions to output devices (e.g., actuators). For example,an I/O module 104 can be connected to a process sensor for measuringpressure in piping for a gas plant, a refinery, and so forth and/orconnected to a process actuator for controlling a valve, binary ormultiple state switch, transmitter, or the like. Field devices 130 arecommunicatively coupled with the IO modules 104 either directly or vianetwork connections. These devices 130 can include control valves,hydraulic actuators, magnetic actuators, motors, solenoids, electricalswitches, transmitters, input sensors/receivers (e.g., illumination,radiation, gas, temperature, electrical, magnetic, and/or acousticsensors) communications sub-busses, and the like.

The I/O modules 104 can be used in the industrial control system 100 tocollect data in applications including, but not necessarily limited tocritical infrastructure and/or industrial processes, such as productmanufacturing and fabrication, utility power generation, oil, gas, andchemical refining; pharmaceuticals, food and beverage, pulp and paper,metals and mining and facility and large campus industrial processes forbuildings, airports, ships, and space stations (e.g., to monitor andcontrol Heating, Ventilation, and Air Conditioning (HVAC) equipment andenergy consumption).

In some implementations, the I/O modules 104 can also be used to connectimage capture devices 200 (e.g., cameras, such as surveillance cameras,physical security cameras, specialized spectral detection cameras, andthe like) to the industrial control system 100. In otherimplementations, image capture devices 200 can be connected viacommunications/control modules 106 or other inputs to a communicationsbackplane 116 that facilitates interconnectivity of industrial controlsystem elements, on-site and off-site (e.g., connectivity to network 120for enterprise systems/applications, external controlsystems/applications, engineering interface controlsystems/applications, external monitoring systems/applications,operator/administrator monitoring or control systems/applications, andthe like).

As shown in FIG. 2, an image capture device 200 includes an image sensor(e.g., a CMOS image sensor, CCD image sensor, or the like) having asignal processor 206 coupled to the image sensor 204. In embodiments,the image sensor 204 can have a lens or lens assembly 202 disposed overthe image sensor 204 for focusing light onto the image sensor 204. Thesignal processor 206 can be configured to receive image signals from theimage sensor 204 and apply one or more filters, adjust gain levels,convert the image signals from an analog format to a digital format, andso forth. The image capture device 200 can further include a codec 210for encoding the processed image signals into a data format that can bedecoded by end devices in the industrial control system 100. In someembodiments, an image capture device 200 includes a video enhancer foradjusting picture attributes (e.g., brightness, contrast, etc.), forexample, by boosting gain of one or more signal components before,after, or during signal processing (i.e., at the signal processor 206).The image capture device 200 further includes a controller 212 (e.g., amicrocontroller, microprocessor, ASIC, programmable logic device, or thelike) for managing the signal processor 206 components, circuitry,and/or modules of the image capture device 200. The controller 212 canalso be configured to transmit data associated with processed imagesignals to one or more devices coupled to the image capture device 200.For example, the controller 212 can transmit data associated withprocessed image signals (e.g., encoded image frames, metadata, etc.) toan input/output module 104 and/or a communications/control module 106via a communications interface 214 (e.g., transmitter, receiver, and/ortransceiver) that couples the controller 212 to the input/output module104 and/or communications/control module 106. In some embodiments, theinput/output module 104 and/or the communications/control module 106 isconfigured to pre-process or post-process image signals received fromthe image capture device 200 before transmitting the processed imagesignals to another industrial element of the secure industrial controlsystem or a network connected device. For example, the input/outputmodule 104 and/or the communications/control module 106 can beconfigured to perform an additional filtering, encoding, or encryptionof the processed image signals. In some embodiments, the communicationsinterface 214 includes a port configured to receive a wired connectionfor coupling the image capture device 200 to an external device (e.g.,IOM 104, CCM 106, or other industrial control system element). In otherembodiments, the communications interface 214 can include a wirelesstransmitter, receiver, and/or transceiver to facilitate wirelessconnectivity between the image capture device 200 and an externaldevice.

The communications interface 214 may comprise a Power Over Ethernet(POE) port for receiving power supplied by the external device. Forexample, the image capture device 200 may be coupled to a secureEthernet I/O module having POE capabilities. The I/O module 104 caninclude the BEDROCK SIO4.E Secure Ethernet Module or the like. In someembodiments, the I/O module 104 (e.g., BEDROCK SIO4.E Secure EthernetModule) comprises a multi-channel secure software configurable Ethernetmodule that can have software configurable protocols on each port,support for Ethernet I/P, Modbus TCP and OPC UA client, other Protocolsincluding Profinet and DNP3 planned, POE available on one or more portfor Ethernet powered device, and/or 10/100 Mbps half/full duplexcapability. In some implementations, the image capture device 200 isconfigured to transmit data associated with the processed images at abaud rate in the range of approximately 9600 and 10 M baud, with a framerate of 5 to 60 fps and 240 to 1080p resolution. For example, the imagecapture device 200 can be configured to transmit at 15 fps, 720p at 2Mbaud or less. These ranges are provided by way of example and shouldnot be considered restrictions of the present disclosure.

In embodiments, the image capture device controller 212 is configured toestablish an encrypted tunnel between the controller 212 and theexternal device (e.g., input/output module 104 or communications/controlmodule 106) based upon at least one respective security credential ofthe image capture device 200 and at least one respective securitycredential of the external device. The controller 212 can also beconfigured to perform an authentication sequence with the externaldevice utilizing the respective security credential of the image capturedevice 200 and the respective security credential of the externaldevice, whereby the image capture device 200 can be authenticated andgiven permissions to transmit and/or receive information from theinput/output module 104 and/or communications/control module 106, and/orother components of the secure industrial control system 100.

As discussed in further detail below, the respective security credentialof the image capture device 200 can comprise a unique securitycredential provisioned for the image capture device 200 by a keymanagement entity 124. For example, the unique security credential canbe provisioned at a respective point of manufacture (of the imagecapture device 200) from the key management entity 124. In someembodiments, the respective security credential is modifiable,revocable, and/or authenticatable by the key management entity 124 at asite different from the respective point of manufacture (e.g., when theimage capture device 200 is installed in the industrial control system100). Additionally or alternatively, the respective security credentialmay be modifiable, revocable, and/or authenticatable by the externaldevice (e.g., the input/output module 104 or the communications/controlmodule 106) or by another industrial control system element incommunication with the image capture device 200.

In some embodiments, the image capture device 200 may include aspecialty camera. For example, the one or more processed image signalsinclude spectral data detected by the image sensor 204. The controller212 can be configured to transmit the spectral data for monitoring oneor more industrial control system environmental conditions. For example,the image capture device 200 may be configured to monitor one or moreindustrial control system environmental conditions, including, but notlimited to, environmental presence of one or more of: fire, dust, smoke,micro-particles, heat, moisture, elevated pressure, gas, radiation, orthe like. In some embodiments, the image sensor 204 can comprise athermal image sensor, night vision image sensor, UV light sensor,infrared light sensor, or the like. In implementations, spectral datadetected by the image capture device 200 can trigger an alarm/alert(e.g., responsive to detecting a fire, gas leak, etc.).

Referring again to FIG. 1, I/O modules 104 can be configured to convertanalog data received from sensors to digital data (e.g., usingAnalog-to-Digital Converter (ADC) circuitry, and so forth). An I/Omodule 104 can also be connected to one or more process actuators suchas a motor or a regulating valve or an electrical relay and other formsof actuators and configured to control one or more operatingcharacteristics of the motor, such as motor speed, motor torque, orposition of the regulating valve or state of the electrical relay and soforth. Further, the I/O module 104 can be configured to convert digitaldata to analog data for transmission to the actuator (e.g., usingDigital-to-Analog (DAC) circuitry, and so forth). In implementations,one or more of the I/O modules 104 can comprise a communications moduleconfigured for communicating via a communications sub-bus, such as anEthernet bus, an H1 field bus, a Process Field Bus (PROFIBUS), a HighwayAddressable Remote Transducer (HART) bus, a Modbus, and so forth.Further, two or more I/O modules 104 can be used to provide faulttolerant and redundant connections for various field devices 130 such ascontrol valves, hydraulic actuators, magnetic actuators, motors,solenoids, electrical switches, transmitters, input sensors/receivers(e.g., illumination, radiation, gas, temperature, electrical, magnetic,and/or acoustic sensors) communications sub-busses, and the like.

Each I/O module 104 can be provided with a unique identifier (ID) fordistinguishing one I/O module 104 from another I/O module 104. Inimplementations, an I/O module 104 is identified by its ID when it isconnected to the industrial control system 100. Multiple I/O modules 104can be used with the industrial control 100 to provide redundancy. Forexample, two or more I/O modules 104 can be connected to a processsensor and/or actuator. Each I/O module 104 can include one or moreports that furnish a physical connection to hardware and circuitryincluded with the I/O module 104, such as a printed circuit board (PCB),and so forth. For example, each I/O module 104 includes a connection fora cable that connects the cable to a printed wiring board (PWB) in theI/O module 104.

One or more of the I/O modules 104 can include an interface forconnecting to other networks including, but not necessarily limited to:a wide-area cellular telephone network, such as a 3G cellular network, a4G cellular network, or a Global System for Mobile communications (GSM)network; a wireless computer communications network, such as a Wi-Finetwork (e.g., a Wireless LAN (WLAN) operated using IEEE 802.11 networkstandards); a Personal Area Network (PAN) (e.g., a Wireless PAN (WPAN)operated using IEEE 802.15 network standards); a Wide Area Network(WAN); an intranet; an extranet; an internet; the Internet; and so on.Further, one or more of the I/O modules 104 can include a connection forconnecting an I/O module 104 to a computer bus, and so forth.

The communications/control modules 106 can be used to monitor andcontrol the I/O modules 104, and to connect two or more I/O modules 104together. In embodiments of the disclosure, a communications/controlmodule 106 can update a routing table when an I/O module 104 isconnected to the industrial control system 100 based upon a unique IDfor the I/O module 104. Further, when multiple redundant I/O modules 104are used, each communications/control module 106 can implement mirroringof informational databases regarding the I/O modules 104 and update themas data is received from and/or transmitted to the I/O modules 104. Insome embodiments, two or more communications/control module 106 are usedto provide redundancy. For added security, redundantcommunications/control modules 106 can be configured to perform anauthentication sequence or handshake to authenticate one another atpredefined events or times including such as startup, reset,installation of a new control module 106, replacement of acommunications/control module 106, periodically, scheduled times, andthe like.

In some implementations, data transmitted by the industrial controlsystem 100 can be packetized, i.e., discrete portions of the data can beconverted into data packets comprising the data portions along withnetwork control information, and so forth. The industrial control system100 can use one or more protocols for data transmission, including abit-oriented synchronous data link layer protocol such as High-LevelData Link Control (HDLC). In some embodiments, the industrial controlsystem 100 implements HDLC according to an International Organizationfor Standardization (ISO) 13239 standard, or the like. Further, two ormore communications/control modules 106 can be used to implementredundant HDLC. However, it should be noted that HDLC is provided by wayof example only and is not meant to be restrictive of the presentdisclosure. Thus, the industrial control system 100 can use othervarious communications protocols in accordance with the presentdisclosure.

One or more of the communications/control module 106 can be configuredfor exchanging information with components used for monitoring and/orcontrolling the field devices 130 (e.g., sensor and/or actuatorinstrumentation) connected to the industrial control system 100 via theI/O modules 104, such as one or more control loop feedbackmechanisms/controllers. In implementations, a controller can beconfigured as a microcontroller/Programmable Logic Controller (PLC), aProportional-Integral-Derivative (PID) controller, and so forth. In someembodiments, the I/O modules 104 and the communications/control modules106 include network interfaces, e.g., for connecting one or more I/Omodules 104 to one or more controllers via a network. Inimplementations, a network interface can be configured as a GigabitEthernet interface for connecting the I/O modules 104 to a Local AreaNetwork (LAN). Further, two or more communications/control modules 106can be used to implement redundant Gigabit Ethernet. However, it shouldbe noted that Gigabit Ethernet is provided by way of example only and isnot meant to be restrictive of the present disclosure. Thus, a networkinterface can be configured for connecting the communications/controlmodules 106 to other various networks including, but not necessarilylimited to: a wide-area cellular telephone network, such as a 3Gcellular network, a 4G cellular network, or a GSM network; a wirelesscomputer communications network, such as a Wi-Fi network (e.g., a WLANoperated using IEEE 802.11 network standards); a PAN (e.g., a WPANoperated using IEEE 802.15 network standards); a WAN; an intranet; anextranet; an internet; the Internet; and so on. Additionally, a networkinterface can be implemented using a computer bus. For example, anetwork interface can include a Peripheral Component Interconnect (PCI)card interface, such as a Mini PCI interface, and so forth. Further, thenetwork can be configured to include a single network or multiplenetworks across different access points.

The industrial control system 100 can receive electrical power frommultiple sources. For example, AC power is supplied from a power grid108 (e.g., using high voltage power from AC mains). AC power can also besupplied using local power generation (e.g., an on-site turbine ordiesel local power generator 110). A power supply 112 is used todistribute electrical power from the power grid 108 to automationequipment of the industrial control system 100, such as controllers, I/Omodules, and so forth. A power supply 112 can also be used to distributeelectrical power from the local power generator 110 to the industrialcontrol system equipment. The industrial control system 100 can alsoinclude additional (backup) power supplies configured to store andreturn DC power using multiple battery modules. For example, a powersupply 112 functions as a UPS. In embodiments of the disclosure,multiple power supplies 112 can be distributed (e.g., physicallydecentralized) within the industrial control system 100.

In some embodiments, the control elements/subsystems and/or industrialelements (e.g., the I/O modules 104, the communications/control modules106, the power supplies 112, and so forth) are connected together by oneor more backplanes 114. For example, communications/control modules 106can be connected to I/O modules 104 by a communications backplane 116.Further, power supplies 112 can be connected to I/O modules 104 and/orto communications/control modules 106 by a power backplane 118. In someembodiments, physical interconnect devices (e.g., switches, connectors,or cables such as, but not limited to, those described in U.S.Non-provisional application Ser. No. 14/446,412, which is incorporatedherein by reference in its entirety) are used to connect to the I/Omodules 104, the communications/control modules 106, the power supplies112, and possibly other industrial control system equipment. Forexample, a cable can be used to connect a communications/control module106 to a network 120, another cable can be used to connect a powersupply 112 to a power grid 108, another cable can be used to connect apower supply 112 to a local power generator 110, and so forth.

The communications backplane 116 includes switch fabric 300 facilitatinginterconnectivity of industrial control system elements coupled via thecommunications backplane 116. For example, the communications backplane116 can physically and communicatively couple the communications/controlmodule 106 to the I/O module 104, and can further couple theseindustrial control system elements to the network 120 (e.g., providingaccess to enterprise devices, engineering controlinterfaces/applications, and so forth). The image capture device 200(and other devices 130) can be coupled to the communications backplane116 directly or via a communications/control module 106 or I/O module104 in order to facilitate access to high speed secure communicationthrough the switch fabric 300.

In embodiments, the switch fabric 300 comprises a serial communicationsinterface 302 and a parallel communications interface 304 for furnishingcommunications between a number of communications/control modules 106,I/O modules 104, image capture devices 200, field devices 130, and/orother elements of the industrial control system 100. Various elementscan be connected to the industrial control system 100 using one or moreelectromagnetic connectors. For instance, each I/O module 104 caninclude or can be coupled to one or more electromagnetic connectors orconnector assemblies, with core members extending through coils. In someembodiments, the coils can be implemented as planar windings on acircuit board. When included in an I/O module 104, the circuit board canbe “floated” against a partial spring load, allowing for some movementof the circuit board perpendicular to the plane of a core member, e.g.,to compensate for tolerances across the circuit board. For example, aself-holding spring loading mechanism can be provided in the module toprovide a constant downward pressure to facilitate mating of theelectromagnetic connection, compensating for stacked tolerances of themodule, PCB, and baseplate/support frame and ensuring a constant matingof both halves of an electromagnetic connector assembly.

In some embodiments, a “tongue and groove” configuration can be usedthat provides inherent fastening and support in three planes. Forexample, a printed circuit board included within an I/O module 104 canbe configured to slide along and between two track segments in adirection perpendicular to the plane of a core member. Further, a coremember can be mechanically isolated from (e.g., not touching) thecircuit board. It should be noted that the implementation with planarprimary and secondary windings is provided by way of example only and isnot necessarily meant to be restrictive of the present disclosure. Thus,other implementations can use other coil configurations, such as wirewound coils, and so forth. For example, the primary coil may comprise aplanar winding, and the secondary coil may comprise a wire wound coil.Further, the primary coil may comprise a wire wound coil, and thesecondary coil may comprise a planar winding. In other implementations,primary and secondary coils may both comprise wire wound coils.

The switch fabric 300 may be configured for use with any systemstechnology, such as telecommunications network technology, computernetwork technology, process control systems technology, and so forth.For example, the switch fabric 300 may be used with a distributedcontrol system comprised of controller elements and subsystems, wherethe subsystems are controlled by one or more controllers distributedthroughout the system. The switch fabric 300 includes a serialcommunications interface 302 and a parallel communications interface 304for furnishing communications with a number of slave devices.

The serial communications interface 302 may be implemented using a groupof connectors connected in parallel with one another. In someembodiments, the connectors may be configured as electromagneticconnectors/connector assemblies (e.g., as previously described). Forexample, the serial communications interface 302 may be implementedusing a multidrop bus 306, or the like. In implementations, themultidrop bus 306 may be used for configuration and diagnostic functionsof the I/O modules 104/slave devices. The parallel communicationsinterface 304 allows multiple signals to be transmitted simultaneouslyover multiple dedicated high speed parallel communication channels. Forinstance, the parallel communications interface 304 may be implementedusing a cross switch 308, or the like.

In an embodiment shown in FIG. 3, the parallel communications interface304 may be implemented using a four (4) wire full duplex cross switch308 with a dedicated connection to each I/O module 104/slave device. Inimplementations, each connection may be furnished using one or moreelectromagnetic connectors/connector assemblies (e.g., as previouslydescribed). The cross switch 308 can be implemented as a programmablecross switch connecting point-to-point busses and allowing trafficbetween the I/O modules 104/slave devices. The cross switch 308 may beconfigured by a master device, such as a communications/control module106. For example, the communications/control module 106/master devicemay configure one or more sets of registers included in the cross switch308 to control traffic between the I/O modules 104/slave devices. Inimplementations, a communications/control module 106/master device maycomprise a rule set dictating how the I/O modules 104/slave devices areinterconnected. For example, a communications/control module 106/masterdevice may comprise a set of registers, where each register defines theoperation of a particular switch (e.g., with respect to how packets areforwarded, and so forth). Thus, the cross switch 308 may not necessarilyauto-configure, instead implementing a configuration provided by acommunications/control module 106/the master device. However, thisconfiguration is provided by way of example only and is not meant to berestrictive of the present disclosure. Thus, in other implementations,the cross switch 308 may auto-configure.

The parallel communications interface 304 may be used for datacollection from the I/O modules 104/slave devices. Further, because eachI/O module 104/slave device has its own private bus to thecommunications/control module 106/master device, each I/O module104/slave device can communicate with the communications/control module106 at the same time. Thus, the total response time for the industrialcontrol system 100 (i.e., switch fabric 300) may be limited to that ofthe slowest I/O module 104/slave device, instead of the sum of all slavedevices, as in the case of a typical multidrop bus.

In implementations, the switch fabric 300, the serial communicationsinterface 302, and the parallel communications interface 304 may beimplemented in a single, monolithic circuit board, e.g., with multipleE-shaped core members of electromagnetic connectors extending throughthe circuit board. In implementations, the core members may bemechanically isolated from the circuit board (e.g., not touching thecircuit board). However, this configuration is provided by way ofexample only and is not meant to be restrictive of the presentdisclosure. Thus, the serial communications interface 302 and theparallel communications interface 304 may be implemented using differentarrangements of multiple components, such as multiple discretesemiconductor devices for implementing the serial communicationsinterface 302 and the parallel communications interface 304 separately,and so forth.

The switch fabric 300 may be configured for connecting one or more I/Omodules 104 (e.g., as slave devices) and transmitting data to and fromthe I/O modules 104. The I/O modules 104 may comprise input modules,output modules, and/or input and output modules. For instance, inputmodules can be used to receive information from input instruments in theprocess or the field, while output modules can be used to transmitinstructions to output instruments in the field. For example, an I/Omodule 104 can be connected to an image capture device 200 for detectingimage signals, spectral data, etc., or to a process sensor, such as asensor for measuring pressure in piping for a gas plant, a refinery, andso forth. In implementations, the I/O modules 104 can be used theindustrial control system 100 collect data in applications including,but not necessarily limited to critical infrastructure and/or industrialprocesses, such as product manufacturing and fabrication, utility powergeneration, oil, gas, and chemical refining; pharmaceuticals, food andbeverage, pulp and paper, metals and mining and facility and largecampus industrial processes for buildings, airports, ships, and spacestations (e.g., to monitor and control Heating, Ventilation, and AirConditioning (HVAC) equipment and energy consumption).

Data transmitted using the switch fabric 300 may be packetized, i.e.,discrete portions of the data may be converted into data packetscomprising the data portions along with network control information, andso forth. The industrial control system 100/switch fabric 300 may useone or more protocols for data transmission, including a bit-orientedsynchronous data link layer protocol such as High-Level Data LinkControl (HDLC). In a specific instance, the industrial control system100/switch fabric 300 may implement HDLC according to an InternationalOrganization for Standardization (ISO) 13239 standard, or the like.Further, two or more communications/control modules 106 can be used toimplement redundant HDLC. However, it should be noted that HDLC isprovided by way of example only and is not meant to be restrictive ofthe present disclosure. Thus, the industrial control system 100 may useother various communications protocols in accordance with the presentdisclosure.

The industrial control system 100 implements a secure control system, asdescribed in U.S. patent application Ser. No. 14/469,931 (issued as U.S.Pat. No. 9,191,203) and International Application No. PCT/US2013/053721,which are entirely incorporated herein by reference. For example, theindustrial control system 100 includes a security credential source(e.g., a factory 122) and a security credential implementer (e.g., a keymanagement entity 124). In embodiment, a device lifetime managementsystem can comprise the security credential implementer and the keymanagement entity. The security credential source is configured togenerate unique security credentials (e.g., keys, certificates, etc.,such as a unique identifier, and/or a security credential). The securitycredential implementer is configured to provision the controlelements/subsystems and/or industrial elements (e.g., cables, devices130, I/O modules 104, communications/control modules 106, power supplies112, and so forth) with a unique security credential generated by thesecurity credential source.

Multiple (e.g., every) device 130, I/O module 104,communications/control module 106, power supply 112, physicalinterconnect devices, etc., of the industrial control system 100 can beprovisioned with security credentials for providing security at multiple(e.g., all) levels of the industrial control system 100. Still further,the control elements/subsystems and/or industrial elements including thesensors and/or actuators and so forth, can be provisioned with theunique security credentials (e.g., keys, certificates, etc.) duringmanufacture (e.g., at birth), and can be managed from birth by a keymanagement entity 124 of the industrial control system 100 for promotingsecurity of the industrial control system 100. For example, the keymanagement entity 124 can provision unique security credentials forcomponents (e.g., for image capture devices 200 and other industrialcontrol system elements) at respective manufacturing sites, and the keymanagement entity 124 can be further configured to authenticate, revoke,or modify the security credentials when the components are implementedat a site different from each component's respective manufacturing site(e.g., when the component is installed/used in the industrial controlsystem 100)

In some embodiments, communications between the controlelements/subsystems and/or industrial elements including the sensorsand/or actuators and so forth, of the industrial control system 100includes an authentication process. The authentication process can beperformed for authenticating control elements/subsystem and/orindustrial elements including the sensors and/or actuators and so forth,implemented in the industrial control system 100. Further, theauthentication process can utilize security credentials associated withthe element and/or physical interconnect device for authenticating thatelement and/or physical interconnect device. For example, the securitycredentials can include encryption keys, certificates (e.g., public keycertificates, digital certificates, identity certificates, securitycertificates, asymmetric certificates, standard certificates,non-standard certificates) and/or identification numbers.

In implementations, multiple control elements/subsystems and/orindustrial elements of the industrial control system 100 are provisionedwith their own unique security credentials. For example, each element ofthe industrial control system 100 may be provisioned with its own uniqueset(s) of certificates, encryption keys and/or identification numberswhen the element is manufactured (e.g., the individual sets of keys andcertificates are defined at the birth of the element). The sets ofcertificates, encryption keys and/or identification numbers areconfigured for providing/supporting strong encryption. The encryptionkeys can be implemented with standard (e.g., commercial off-the-shelf(COTS)) encryption algorithms, such as National Security Agency (NSA)algorithms, National Institute of Standards and Technology (NIST)algorithms, or the like.

Based upon the results of the authentication process, the element beingauthenticated can be activated, partial functionality of the element canbe enabled or disabled within the industrial control system 100,complete functionality of the element can be enabled within theindustrial control system 100, and/or functionality of the elementwithin the industrial control system 100 can be completely disabled(e.g., no communication facilitated between that element and otherelements of the industrial control system 100). In this regard, eachelement (e.g., a communications/control module 102, an I/O module 104,or the like) may be configured to authenticate, revoke, or modify asecurity credential of another industrial control system element (e.g.,device 130, an image capture device 200, etc.) based upon success orfailure of the authentication sequence utilizing respective securitycredentials of the industrial control system elements.

In embodiments, the industrial control system elements can establishsecure communication paths or “tunnels” for securely transmittinginformation based upon the respective security credentials of theelements. For example, communications can be signed or encrypted by afirst (transmitting) element and authenticated (e.g., verified ordecrypted) by a second (receiving) element based upon the respectivesecurity credentials. In embodiments, an image capture device 200 can beconfigured to communicate data associated with processed image signals(e.g., image frames, spectral data, metadata, etc.) to acommunications/control module 106 or an I/O module 104 (or othercomponent of the industrial control system 100) via a secure tunnel. Insome embodiments, the image capture device 200 only communicatesinformation to a communications/control module 106 or an I/O module 104(or other component of the industrial control system 100) aftersuccessfully authenticating or being authenticated by the receivingdevice.

In embodiments, the keys, certificates and/or identification numbersassociated with an element of the industrial control system 100 canspecify the original equipment manufacturer (OEM) of that element. Asused herein, the term “original equipment manufacturer” or “OEM” can bedefined as an entity that physically manufactures the device (e.g.,element) and/or a supplier of the device such as an entity thatpurchases the device from a physical manufacturer and sells the device.Thus, in embodiments, a device can be manufactured and distributed(sold) by an OEM that is both the physical manufacturer and the supplierof the device. However, in other embodiments, a device can bedistributed by an OEM that is a supplier, but is not the physicalmanufacturer. In such embodiments, the OEM can cause the device to bemanufactured by a physical manufacturer (e.g., the OEM can purchase,contract, order, etc. the device from the physical manufacturer).

Additionally, where the OEM comprises a supplier that is not thephysical manufacturer of the device, the device can bear the brand ofthe supplier instead of brand of the physical manufacturer. For example,in embodiments where an element (e.g., a communications/control module106) is associated with a particular OEM that is a supplier but not thephysical manufacturer, the element's keys, certificates and/oridentification numbers can specify that origin. During authentication ofan element of the industrial control system 100, when a determination ismade that an element being authenticated was manufactured or supplied byan entity that is different than the OEM of one or more other elementsof the industrial control system 100, then the functionality of thatelement can be at least partially disabled within the industrial controlsystem 100. For example, limitations can be placed upon communication(e.g., data transfer) between that element and other elements of theindustrial control system 100, such that the element cannotwork/function within the industrial control system 100. When one of theelements of the industrial control system 100 requires replacement, thisfeature can prevent a user of the industrial control system 100 fromunknowingly replacing the element with a non-homogenous element (e.g.,an element having a different origin (a different OEM) than theremaining elements of the industrial control system 100) andimplementing the element in the industrial control system 100. In thismanner, the techniques described herein can prevent the substitution ofelements of other OEM's into a secure industrial control system 100. Inone example, the substitution of elements that furnish similarfunctionality in place of elements provided by an originating OEM can beprevented, since the substituted elements cannot authenticate andoperate within the originating OEM's system. In another example, a firstreseller can be provided with elements having a first set of physicaland cryptographic labels by an originating OEM, and the first reseller'selements can be installed in an industrial control system 100. In thisexample, a second reseller can be provided with elements having a second(e.g., different) set of physical and cryptographic labels by the sameoriginating OEM. In this example, the second reseller's elements may beprevented from operating within the industrial control system 100, sincethey may not authenticate and operate with the first reseller'selements. However, it should also be noted that the first reseller andthe second reseller may enter into a mutual agreement, where the firstand second elements can be configured to authenticate and operate withinthe same industrial control system 100. Further, in some embodiments, anagreement between resellers to allow interoperation can also beimplemented so the agreement only applies to a specific customer, groupof customers, facility, etc.

In another instance, a user can attempt to implement an incorrectlydesignated (e.g., mismarked) element within the industrial controlsystem 100. For example, the mismarked element can have a physicalindicia marked upon it which falsely indicates that the element isassociated with the same OEM as the OEM of the other elements of theindustrial control system 100. In such instances, the authenticationprocess implemented by the industrial control system 100 can cause theuser to be alerted that the element is counterfeit. This process canalso promote improved security for the industrial control system 100,since counterfeit elements are often a vehicle by which malicioussoftware can be introduced into the industrial control system 100. Inembodiments, the authentication process provides a secure air gap forthe industrial control system 100, ensuring that the secure industrialcontrol system is physically isolated from insecure networks.

In implementations, the secure industrial control system 100 includes akey management entity 124. The key management entity 124 can beconfigured for managing cryptographic keys (e.g., encryption keys) in acryptosystem. This managing of cryptographic keys (e.g., key management)can include the generation, exchange, storage, use, and/or replacementof the keys. For example, the key management entity 124 is configured toserve as a security credentials source, generating unique securitycredentials (e.g., public security credentials, secret securitycredentials) for the elements of the industrial control system 100. Keymanagement pertains to keys at the user and/or system level (e.g.,either between users or systems).

In embodiments, the key management entity 124 comprises a secure entitysuch as an entity located in a secure facility. The key managemententity 124 can be remotely located from the I/O modules 104, thecommunications/control modules 106, and the network 120. For example, afirewall 126 can separate the key management entity 124 from the controlelements or subsystems 102 and the network 120 (e.g., a corporatenetwork). In implementations, the firewall 126 can be a software and/orhardware-based network security system that controls ingoing andoutgoing network traffic by analyzing data packets and determiningwhether the data packets should be allowed through or not, based on arule set. The firewall 126 thus establishes a barrier between a trusted,secure internal network (e.g., the network 120) and another network 128that is not assumed to be secure and trusted (e.g., a cloud and/or theInternet). In embodiments, the firewall 126 allows for selective (e.g.,secure) communication between the key management entity 124 and one ormore of the control elements or subsystems 102 and/or the network 120.In examples, one or more firewalls can be implemented at variouslocations within the industrial control system 100. For example,firewalls can be integrated into switches and/or workstations of thenetwork 120.

The secure industrial control system 100 can further include one or moremanufacturing entities (e.g., factories 122). The manufacturing entitiescan be associated with original equipment manufacturers (OEMs) for theelements of the industrial control system 100. The key management entity124 can be communicatively coupled with the manufacturing entity via anetwork (e.g., a cloud). In implementations, when the elements of theindustrial control system 100 are being manufactured at one or moremanufacturing entities, the key management entity 124 can becommunicatively coupled with (e.g., can have an encrypted communicationspipeline or tunnel to) the elements. The key management entity 124 canutilize the communications pipeline for provisioning the elements withsecurity credentials (e.g., inserting keys, certificates and/oridentification numbers into the elements) at the point of manufacture.

Further, when the elements are placed into use (e.g., activated), thekey management entity 124 can be communicatively coupled (e.g., via anencrypted communications pipeline) to each individual element worldwideand can confirm and sign the use of specific code, revoke (e.g., remove)the use of any particular code, and/or enable the use of any particularcode. Thus, the key management entity 124 can communicate with eachelement at the factory where the element is originally manufactured(e.g., born), such that the element is born with managed keys. A masterdatabase and/or table including all encryption keys, certificates and/oridentification numbers for each element of the industrial control system100 can be maintained by the key management entity 124. The keymanagement entity 124, through its communication with the elements, isconfigured for revoking keys, thereby promoting the ability of theauthentication mechanism to counter theft and re-use of components.

In implementations, the key management entity 124 can be communicativelycoupled with one or more of the control elements/subsystems, industrialelements, and/or the network 120 via another network (e.g., a cloudand/or the Internet) and firewall. For example, in embodiments, the keymanagement entity 124 can be a centralized system or a distributedsystem. Moreover, in embodiments, the key management entity 124 can bemanaged locally or remotely. In some implementations, the key managemententity 124 can be located within (e.g., integrated into) the network 120and/or the control elements or subsystems 102. The key management entity124 can provide management and/or can be managed in a variety of ways.For example, the key management entity 124 can be implemented/managed:by a customer at a central location, by the customer at individualfactory locations, by an external third party management company and/orby the customer at different layers of the industrial control system100, and at different locations, depending on the layer.

Varying levels of security (e.g., scalable, user-configured amounts ofsecurity) can be provided by the authentication process. For example, abase level of security can be provided which authenticates the elementsand protects code within the elements. Other layers of security can beadded as well. For example, security can be implemented to such a degreethat a component, such as the communications/control module 106, cannotpower up without proper authentication occurring. In implementations,encryption in the code is implemented in the elements, while securitycredentials (e.g., keys and certificates) are implemented on theelements. Security can be distributed (e.g., flows) through theindustrial control system 100. For example, security can flow throughthe industrial control system 100 all the way to an end user, who knowswhat a module is designed to control in that instance. In embodiments,the authentication process provides encryption, identification ofdevices for secure communication and authentication of system hardwareor software components (e.g., via digital signature).

In implementations, the authentication process can be implemented toprovide for and/or enable interoperability within the secure industrialcontrol system 100 of elements manufactured and/or supplied by differentmanufacturers/vendors/suppliers (e.g., OEMs). For example, selective(e.g., some) interoperability between elements manufactured and/orsupplied by different manufacturers/vendors/suppliers can be enabled. Inembodiments, unique security credentials (e.g., keys) implemented duringauthentication can form a hierarchy, thereby allowing for differentfunctions to be performed by different elements of the industrialcontrol system 100.

The communication links connecting the components of the industrialcontrol system 100 can further employ data packets, such as runt packets(e.g., packets smaller than sixty-four (64) bytes), placed (e.g.,injected and/or stuffed) therein, providing an added level of security.The use of runt packets increases the level of difficulty with whichoutside information (e.g., malicious content such as false messages,malware (viruses), data mining applications, etc.) can be injected ontothe communications links. For example, runt packets can be injected ontoa communication link within gaps between data packets transmittedbetween the action originator 204 and the communications/control module106 or any other industrial element/controller 206 to hinder an externalentity's ability to inject malicious content onto the communicationlink.

As shown in FIGS. 4 and 5, the I/O module 104, communications/controlmodule 106, or any other industrial element/controller 406 can be atleast partially operated according to requests/commands from an actionoriginator 402. For example, the action originator 402 can access datafrom and/or send instructions/requests associated with setting oradjusting one or more system variables for the image capture device 200or a field device 130 coupled to the IOM 104 or CCM 106. Inimplementations, the action originator 402 includes an operatorinterface 408 (e.g., SCADA or HMI), an engineering interface 410including an editor 412 and a compiler 414, a local application 420, aremote application 416 (e.g., communicating through a network 418 via alocal application 420), or the like. In the authentication path 400illustrated in FIGS. 4 and 5, the industrial element/controller 406(e.g., IOM 104 or CCM 106) processes an operator action (e.g., requestfor data, instruction to change/adjust one or more system variables,engineering interface command, control command, firmware/softwareupdate, set point control, application image download, or the like) onlywhen the operator action has been signed and/or encrypted by an actionauthenticator 404 or a communication (e.g., authentication message)associated with the operator action is signed and/or encrypted. Thisprevents unauthorized operator actions from valid user profiles andfurther secures the system from unauthorized action requests coming frominvalid (e.g., hacked) profiles. In embodiments, an actionauthentication process is implemented as described in U.S. patentapplication Ser. No. 14/519,066, which is incorporated herein byreference in its entirety.

The action authenticator 404 may include a storage medium with a privatekey stored thereon and a processor configured to sign and/or encrypt theaction request generated by the action originator 402 with the privatekey. The private key can be stored in a memory that cannot be accessedvia standard operator login. For instance, the secured workstation 426can require a physical key, portable encryption device (e.g., smartcard, RFID tag, or the like), and/or biometric input for access. Inembodiments, the private key (e.g., security credential) can beprovisioned by an onsite or offsite key management entity (e.g., onsitedevice lifecycle management system (“DLM”) 422) or a remotely locatedDLM 422 connected via the network 418).

In some embodiments, the action authenticator 404 includes a portableencryption device such as a smart card 424 (which can include a securedmicroprocessor). The advantage of using a portable encryption device isthat the entire device (including the privately stored key and processorin communication therewith) can be carried with an operator or user thathas authorized access to an interface of the action originator 402.Whether the action authentication node 404 accesses the authenticationpath 400 via secured or unsecured workstation, the action request fromthe action originator 402 can be securely signed and/or encrypted withinthe architecture of the portable encryption device instead of apotentially less secure workstation or cloud-based architecture. Thissecures the industrial control system 100 from unauthorized actions. Forinstance, an unauthorized person would have to physically takepossession of the smart card 424 before being able to authenticate anyaction requests sent via the action originator 402.

Furthermore, multiple layers of security can be employed. For example,the action authenticator 404 can include a secured workstation 426 thatis only accessible to sign and/or encrypt action requests via smart cardaccess or the like. Additionally, the secured workstation 426 can beaccessible via a biometric or multifactor cryptography device 428 (e.g.,fingerprint scanner, iris scanner, and/or facial recognition device). Insome embodiments, a multifactor cryptography device 428 requires a validbiometric input before enabling the smart card 424 or other portableencryption device to sign the action request.

The industrial element/controller 406 being driven by the actionoriginator 402 is configured to receive the signed action request,verify the authenticity of the signed action request, and perform arequested action when the authenticity of the signed action request isverified. In some embodiments, the industrial element/controller 406includes a storage medium 430 (e.g., SD/micro-SD card, HDD, SSD, or anyother non-transitory storage device) configured to store the actionrequest (e.g., application image, control command, and/or any other datasent by the action originator). The industrial element/controller 406further includes a processor 432 (e.g., microcontroller, microprocessor,ASIC, or the like) that performs/executes code associated with theoperator action (i.e., performs a requested action) after authenticatingthe operator action or communication associated therewith. In someembodiments, the operator action is encrypted by the action originator402 and/or the action authenticator 432 and must also be decrypted bythe processor 432 before the requested action can be performed. Inimplementations, the industrial element/controller 406 includes avirtual key switch 434 (e.g., a software module running on the processor432) that enables the processor 432 to execute the operator action onlyafter authenticating the operator action or communication associatedtherewith. For example, the virtual key switch 434 can be configured toselectively enable/disable one or more operating modes of the processor432 (e.g., safe mode, standard operational mode, secure operating mode,etc.). In some embodiments, each and every action or each one of aselection of critical actions must clear the authentication path beforebeing run on by the industrial element/controller 406. For example, thecan include any change of parameters/process variables or data requestssent for the image capture device 200 or a field device 130.

As discussed above, for further security, the image capture device 200can be configured to perform an authentication sequence or handshake toauthenticate with an external device (e.g., IOM 104 or CCM 106) that theimage capture device 200 is connected to. The authentication can occurat predefined events or times including such as startup, reset,installation of an image capture device 200, replacement of an imagecapture device 200, periodically, at scheduled times, and so forth. Bycausing the image capture device 200 to authenticate with externaldevices to which the image capture device 200 is coupled, counterfeit ormaliciously introduced image capture devices 200 can be avoided. Inimplementations, the external device can at least partially disable afeature of the image capture device 200 or prevent communications withthe image capture device 200 when the authentication is unsuccessful.

FIG. 6 shows example datagrams 500 transmitted between an image capturedevice 200 and an external device (e.g., IOM 104 or CCM 106) inperformance of the authentication sequence. To initiate theauthentication sequence, the external device is configured to transmit arequest datagram 502 to the image capture device 200. Inimplementations, the request datagram 502 includes a first plain textnonce (NonceA), a first device authentication key certificate (CertDAKA)containing a first device authentication key (DAKA), and a firstidentity attribute certificate (IACA). In some embodiments, the externaldevice is configured to generate the first nonce (NonceA) with a truerandom number generator (hereinafter “TRNG”) and concatenate orotherwise combine the first nonce (NonceA), the first deviceauthentication key certificate (CertDAKA), and the first identityattribute certificate (IACA) to generate the request datagram 502. Insome embodiments, the first device authentication key certificate(CertDAKA) and the first identity attribute certificate (IACA) arelocally stored by the external device. For example, the certificates maybe stored in a local memory (e.g., ROM, RAM, flash memory, or othernon-transitory storage medium) of an I/O module 104 orcommunications/control module 106.

The image capture device 200 is configured to validate the requestdatagram by verifying the first device authentication key certificate(CertDAKA) and the first identity attribute certificate (IACA) withpublic keys that are generated by a device lifecycle management system(DLM) or derived utilizing crypto library functions. In this regard, thepublic keys may be stored in SRAM or another local memory of the imagecapture device 200 and used with crypto library functions to verify orcryptographically sign exchanged data, such as the nonces exchangedbetween the external device and the image capture device 200. In someembodiments, the image capture device 200 may verify the certificateswith an elliptic curve digital signing algorithm (hereinafter “ECDSA”)or other verification operation. In some embodiments, the image capturedevice 200 may be further configured to validate the certificate valuesfrom plain text values by verifying the following: certificate type isdevice authentication key (hereinafter “DAK”) or identity attributecertificate (hereinafter “IAC”) for each certificate; IAC names match,DAK certificate module type matches module type argument; and/ormicroprocessor serial number (hereinafter “MPSN”) of each certificate inthe message payload match each other. In some embodiments, the imagecapture device 200 may be further configured to verify the DAK and IACcertificates are not in a local revocation list (e.g., a list ordatabase including revoked and/or invalid certificates). When the imagecapture device 200 fails to validate the request datagram, the imagecapture device 200 may generate an error message, partially orcompletely disable the external device, and/or discontinue or restrictcommunications to/from the external device.

Responsive to a valid request datagram 502, the image capture device 200is configured to transmit a response datagram 504 to the externaldevice. In implementations, the response datagram 504 includes a secondplain text nonce (NonceB), a first signature associated with the firstand second nonces (SigB[NonceA∥NonceB]), a second device authenticationkey certificate (certDAKB) containing a second device authentication key(DAKB), and a second identity attribute certificate (IACB). In someembodiments, the image capture device 200 is configured to generate thesecond nonce (NonceB) with a TRNG, concatenate or otherwise combine thefirst nonce (NonceA) and the second nonce (NonceB), and sign theconcatenated/combined nonces with a private key (e.g., DAK) that islocally stored by the image capture device 200. The image capture device200 is further configured to concatenate or otherwise combine the secondnonce (NonceB), the first signature associated with the first and secondnonces (SigB[NonceA∥NonceB]), the second device authentication keycertificate (certDAKB), and the second identity attribute certificate(IACB) to generate the response datagram 504. In some embodiments, thesecond device authentication key certificate (CertDAKB) and the secondidentity attribute certificate (IACB) are locally stored by the imagecapture device 200. For example, the certificates may be stored in alocal memory (e.g., ROM, RAM, flash memory, or other non-transitorystorage medium) of the image capture device 200.

The external device is configured to validate the response datagram byverifying the second device authentication key certificate (CertDAKB)and the second identity attribute certificate (IACB) with public keysthat are locally stored or retrieved from a crypto library utilizingECDSA or another verification operation. In some embodiments, theexternal device may be further configured to validate the certificatevalues from plain text values by verifying the following: IAC & DAKcertificates have matching MPSNs, IAC names match, certificate types arecorrect on both certificates (IAC & DAK), the correct issuer name is onboth certificates, DAK module type is the correct type (e.g., check tosee if module type=communications/control module). In some embodiments,the external device may be further configured to verify the DAK and IACcertificates are not in a local revocation list.

To validate the response datagram, the external device may be furtherconfigured to verify the first signature associated with the first andsecond nonces (sigB[NonceA∥NonceB]). In some embodiments, the externaldevice is configured to verify the first signature (sigB[NonceA∥NonceB])by concatenating the first locally stored nonce (NonceA) and the secondplaintext nonce (NonceB) received from the image capture device 200,verifying the first cryptographic signature (sigB[NonceA∥NonceB]) with apublic device authentication key (e.g., using DAKB from certDAKB), andcomparing the locally generated concatenation of the first nonce and thesecond nonce with the cryptographically verified concatenation of thefirst nonce and the second nonce. When the external device fails tovalidate the response datagram, the external device may generate anerror message, partially or completely disable the image capture device200, and/or discontinue or restrict communications to/from the imagecapture device 200.

The external device is further configured to transmit an authenticationdatagram 506 to the image capture device 200 when the response datagram504 is valid. In implementations, the authentication datagram 506includes a second signature associated with the first and second nonces(sigA[NonceA∥NonceB]). In some embodiments, the external device isconfigured to sign the locally generated concatenation of the first andsecond nonces a private key (e.g., DAK) that is locally stored by theexternal device. When the response datagram is invalid, theauthentication datagram 506 may be replaced with a “failed”authentication datagram 506 including a signature associated with thesecond nonce and an error reporting (e.g., “failure”) message(sigA[NonceB∥Error]) generated by the external device.

Responsive to the authentication datagram 506, the image capture device200 may be further configured to transmit a responsive authenticationdatagram 508 to the external device. In implementations, the responsiveauthentication datagram 508 includes a signature associated with thefirst nonce and an error reporting (e.g., “success” or “failure”)message (sigB[NonceA∥Error]) generated by the image capture device 200.In some embodiments, the image capture device 200 is configured tovalidate the authentication datagram 506 by verifying the secondsignature associated with the first and second nonces(sigA[NonceA∥NonceB]). In some embodiments, the image capture device 200is configured to verify the second signature (sigA[NonceA∥NonceB]) byconcatenating the first plaintext nonce (NonceA) received from theexternal device and the second locally stored nonce (NonceB), verifyingthe second cryptographic signature (sigA[NonceA∥NonceB]) with a publicdevice authentication key (e.g., using DAKA from certDAKA), andcomparing the locally generated concatenation of the first nonce and thesecond nonce with the cryptographically verified concatenation of thefirst nonce and the second nonce. In addition to the error reportingmessage, when the image capture device 200 fails to validate theauthentication datagram, the image capture device 200 may partially orcompletely disable the external device, and/or discontinue or restrictcommunications to/from the external device.

In some implementations, the roles of the image capture device 200 andexternal device, as described above, can be reversed. In someimplementations, the external device and the image capture device arearranged according to a “master-slave” configuration, where the master(e.g., the external device) may be configured to authenticate the slave(e.g., the image capture device 200). In the event of a failedauthentication, the master may at least partially disable or restrictcommunications to/from the unauthenticated slave. Alternatively, afailed authentication may result in both devices or a pseudo-secondarydevice being partially or completely disabled. For example, for enhancedsecurity, the external device (e.g., IOM 104 or CCM 106) and the imagecapture device 200 can be disabled should they fail to successfullycomplete the authentication sequence.

Each of the industrial control system elements described herein mayinclude circuitry and/or logic enabled to perform the functionsdescribed herein. For example, each industrial control system element(e.g., IOM 104, CCM, 106, image capture device 200, and so forth) mayinclude a processor configured to execute program instructions storedpermanently, semi-permanently, or temporarily by a non-transitorymachine readable medium such as a hard disk drive (HDD), solid-statedisk (SDD), optical disk, magnetic storage device, flash drive, or thelike. Furthermore, as described above, the industrial control elementsherein can be provisioned with unique security credentials, either whenplaced in use or at birth (e.g., at the site of manufacture) by the keymanagement entity 124 (which may be the same key management entity forall industrial control system elements). These security credentials canbe stored in secure memory of each device (e.g., in an encryptedmemory). Moreover, authentication of any operator action, request,datagram, and the like can occur within the confines of each industrialcontrol system element (e.g., using the embedded security credential(s)and processor of each element, rather than via an externalauthenticator). In this regard, intrinsic security can be implemented ateach level/layer of the industrial control system 100.

It should be understood that any of the functions described herein canbe implemented using hardware (e.g., fixed logic circuitry such asintegrated circuits), software, firmware, manual processing, or acombination thereof. Thus, the blocks, operations, functions, or stepsdiscussed in the above disclosure generally represent hardware (e.g.,fixed logic circuitry such as integrated circuits), software, firmware,or a combination thereof. In the instance of a hardware configuration,the various blocks discussed in the above disclosure may be implementedas integrated circuits along with other functionality. Such integratedcircuits may include all of the functions of a given block, system, orcircuit, or a portion of the functions of the block, system, or circuit.Further, elements of the blocks, systems, or circuits may be implementedacross multiple integrated circuits. Such integrated circuits maycomprise various integrated circuits, including, but not necessarilylimited to: a monolithic integrated circuit, a flip chip integratedcircuit, a multichip module integrated circuit, and/or a mixed signalintegrated circuit. In the instance of a software implementation, thevarious blocks discussed in the above disclosure represent executableinstructions (e.g., program code) that perform specified tasks whenexecuted on a processor. These executable instructions can be stored inone or more tangible computer readable media. In some such instances,the entire system, block, or circuit may be implemented using itssoftware or firmware equivalent. In other instances, one part of a givensystem, block, or circuit may be implemented in software or firmware,while other parts are implemented in hardware.

Although the subject matter has been described in language specific tostructural features and/or process operations, it is to be understoodthat the subject matter defined in the appended claims is notnecessarily limited to the specific features or acts described above.Rather, the specific features and acts described above are disclosed asexample forms of implementing the claims.

1. An image capture device for a secure industrial control system,comprising: an image sensor; a signal processor coupled to the imagesensor; and a controller for managing the signal processor andtransmitting data associated with processed image signals to at leastone of an input/output module or a communications/control module via acommunications interface that couples the controller to the at least oneof the input/output module or the communications/control module, whereinthe controller is configured to establish an encrypted tunnel betweenthe controller and the at least one of the input/output module or thecommunications/control module based upon a unique security credential ofthe image capture device and a unique security credential of the atleast one of the input/output module or the communications/controlmodule, wherein the image capture device is provisioned with the uniquesecurity credential, and wherein the unique security credential of theimage capture device is at least one of modifiable or revocable, by theat least one of the input/output module or the communications/controlmodule.
 2. The image capture device of claim 1, wherein the controlleris further configured to perform an authentication sequence with the atleast one of the input/output module or the communications/controlmodule utilizing the unique security credential of the image capturedevice and the unique security credential of the at least one of theinput/output module or the communications/control module.
 3. (canceled)4. The image capture device of claim 1, wherein the unique securitycredential of the image capture device is at least one of modifiable,revocable, or authenticatable by the key management entity at a sitedifferent from a respective point of manufacture of the image capturedevice.
 5. The image capture device of claim 1, wherein the uniquesecurity credential of the image capture device is authenticatable bythe at least one of the input/output module or thecommunications/control module.
 6. The image capture device of claim 1,wherein the communications interface is configured to connect thecontroller, via the at least one of the input/output module or thecommunications/control module, to a communications backplane including aserial communications interface and a parallel communications interface.7. The image capture device of claim 6, wherein the communicationsinterface comprises a Power Over Ethernet (POE) port for receiving powersupplied by the at least one of the input/output module or thecommunications/control module.
 8. The image capture device of claim 1,wherein the one or more processed image signals include spectral datadetected by the image sensor.
 9. The image capture device of claim 8,wherein the controller is configured to transmit the spectral data formonitoring one or more industrial control system environmentalconditions including an environmental presence of one or more of: fire,dust, smoke, micro-particles, heat, moisture, elevated pressure, gas, orradiation.
 10. A secure industrial control system, comprising: acommunications/control module provisioned with a first unique securitycredential; an input/output module provisioned with a second uniquesecurity credential; a communications backplane that physically andcommunicatively couples the communications/control module to theinput/output module; and an image capture device provisioned with athird unique security credential and comprising: an image sensor; asignal processor coupled to the image sensor; and a controller formanaging the signal processor and transmitting data associated withprocessed image signals to at least one of the input/output module orthe communications/control module via a communications interface thatcouples the controller to the at least one of the input/output module orthe communications/control module, wherein the controller is configuredto establish an encrypted tunnel between the controller and the at leastone of the input/output module or the communications/control modulebased upon the third unique security credential of the image capturedevice and at least one of the first and second unique securitycredential associated with the at least one of the input/output moduleor the communications/control module, and wherein the third uniquesecurity credential of the image capture device is at least one ofmodifiable or revocable by the at least one of the input/output moduleor the communications/control module.
 11. The secure industrial controlsystem of claim 10, wherein the controller is further configured toperform an authentication sequence with the at least one of theinput/output module or the communications/control module based on thethird unique security credential of the image capture device and atleast one of the first and second unique security credentials associatedwith the at least one of the input/output module or thecommunications/control module.
 12. (canceled)
 13. The secure industrialcontrol system of claim 10, wherein the third unique security credentialof the image capture device is at least one of modifiable, revocable, orauthenticatable by the key management entity at a site different from arespective point of manufacture.
 14. The secure industrial controlsystem of claim 10, wherein third unique security credential of theimage capture device is authenticatable by the at least one of theinput/output module or the communications/control module.
 15. The secureindustrial control system of claim 10, wherein the communicationsinterface is configured to connect the controller, via the at least oneof the input/output module or the communications/control module, to thecommunications backplane, wherein the communications backplane includesa serial communications interface and a parallel communicationsinterface.
 16. The secure industrial control system of claim 15, whereinthe communications interface comprises a Power Over Ethernet (POE) portfor receiving power supplied by the at least one of the input/outputmodule or the communications/control module.
 17. The secure industrialcontrol system of claim 10, wherein the one or more processed imagesignals include spectral data detected by the image sensor.
 18. Thesecure industrial control system of claim 17, wherein the controller isconfigured to transmit the spectral data for monitoring one or moreindustrial control system environmental conditions including anenvironmental presence of one or more of: fire, dust, smoke,micro-particles, heat, moisture, elevated pressure, gas, or radiation.19. The secure industrial control system of claim 10, wherein at leastone of the communications/control module or the input/output module isconfigured to preprocess or post-process image signals received from theimage capture device before transmitting the image signals to anotherindustrial element of the secure industrial control system or a networkconnected device.
 20. A secure industrial control system, comprising: acommunications/control module provisioned with a first unique securitycredential; an input/output module provisioned with a second uniquesecurity credential; a communications backplane that physically andcommunicatively couples the communications/control module to theinput/output module, the communications backplane including a serialcommunications interface for connecting the input/output module to thecommunications/control module and a parallel communications interfaceconfigured for separately connecting the input/output module to thecommunications/control module; and an image capture device provisionedwith a third unique security credential and comprising: an image sensor;a signal processor coupled to the image sensor; and a controller formanaging the signal processor and transmitting data associated withprocessed image signals to at least one of the input/output module orthe communications/control module via a communications interface thatcouples the controller to the at least one of the input/output module orthe communications/control module based upon the third unique securitycredential and at least one of the first and second unique securitycredentials associated with the at least one of the input/output moduleor the communications/control module, and wherein the third uniquesecurity credential of the image capture device is at least one ofmodifiable or revocable by the at least one of the input/output moduleor the communications/control module.